sid :-) hs12
authorHeiko Schlittermann <hs@schlittermann.de>
Mon, 14 Sep 2009 17:18:46 +0200
branchhs12
changeset 2 0e4dd7478d70
parent 1 acac1ec01fd8
child 3 23a6e0a1407e
sid :-)
check-cert.pl
--- a/check-cert.pl	Mon Sep 14 16:18:34 2009 +0200
+++ b/check-cert.pl	Mon Sep 14 17:18:46 2009 +0200
@@ -10,13 +10,19 @@
 use IPC::Open2;
 use Date::Manip;
 use POSIX ":sys_wait_h";
+use feature qw(:5.10);
 use lib "/usr/lib/nagios/plugins";
 use utils qw (%ERRORS &print_revision &support);
 
 my $ME        = basename $0;
+my $USAGE = <<EOF;
+Usage: $ME [-b <binary>] [-i init] [-d <path>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-e <file,file,file,...>]
+       $ME [-h | --help]
+       $ME [-V | --version]
+EOF
 my $VERSION   = "0.4";
 my $hash_file = "/var/tmp/" . basename($0) . ".known.db";
-my %known;
+my (%known, %excluded);
 my %certs = ();
 my $no_print =
 "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
@@ -24,8 +30,7 @@
     "openssl",  "x509",      "-noout",   "-text",
     "-certopt", "$no_print", "-subject", "-enddate"
 );
-my @cmd_pkcs12 =
-  ("openssl", "pkcs12", "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
+my @cmd_pkcs12 = qw(openssl pkcs12 -clcerts -nokeys -nomacver -passin pass:);
 my @cmd_pipe = (
     "openssl",  "x509",    "-noout",   "-text",
     "-certopt", $no_print, "-subject", "-enddate"
@@ -49,6 +54,7 @@
 sub process_file();
 sub print_help();
 sub print_usage();
+sub get_id(;$);
 
 MAIN: {
 
@@ -74,10 +80,14 @@
 
     # initiate file-data hash
     %known = () if $opt_init;
+	@excluded{@opt_exclude} = ();
 
     find({ wanted => \&process_file }, $opt_directory);
 
+	exit;
+
     # calculate the time
+	# $w_time = time() + 4 * 7 * 86400;
     $w_time = DateCalc("today", "+ $opt_warning");
     $c_time = DateCalc("today", "+ $opt_critical");
 
@@ -138,32 +148,32 @@
     exit;
 }
 
+sub get_id(;$) { return join " ", (@_ ? stat($_[0]) : stat(_))[7, 9] }
+
 sub process_file() {
+
+	return if exists $excluded{$File::Find::name};
     return if not -f;
 
-    my $id             = join " ", (stat)[7, 9];
+    my $id             = get_id();
     my $is_certificate = 0;
     my $in_cert        = 0;
     my @cert           = ();
     my ($rc, $temp, $signature, $subject, $enddate);
 
     # excluded files
-    @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
-    foreach my $exclude_file (@opt_exclude) {
-        if ($exclude_file eq $File::Find::name) {
-            $known{$File::Find::name} = $id;
-            return;
-        }
-    }
+	# @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
 
     return
       if exists $known{$File::Find::name}
           and $known{$File::Find::name} eq $id;
 
+	  #say $File::Find::name;
     # checking for pkcs12 certificates
+
+	if (0) {
     my @cmd_pkcs12_current = @cmd_pkcs12;
     push @cmd_pkcs12_current, "-in", $File::Find::name, "2>/dev/null";
-
     my $cid = open(FILE, "@cmd_pkcs12_current |") || die "Can't fork: $!";
 
     while (<FILE>) {
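Review bot: `if (0) {` silently disables the whole PKCS#12 branch of process_file with no comment saying why or whether it is meant to come back; if the code is no longer wanted it should be deleted, and if it is only parked a `# TODO:` naming the reason belongs on that line. The parked branch still carries `open(FILE, "@cmd_pkcs12_current |")`, a two-argument piped open that hands `$File::Find::name` and `2>/dev/null` to a shell, so any file name found under `-d` is interpolated into a command line; before the branch is re-enabled it should move to a list-form child spawn, for example `open2` from the already-imported IPC::Open2 (or IPC::Open3 with STDERR pointed at /dev/null), with the path passed as a separate argument. The leftover `#say $File::Find::name;` and the commented-out `# @opt_exclude = split(...)` line are debugging residue in the new code as well. The `if (0)` block is closed in the next hunk and process_file continues past it.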
@@ -196,36 +206,29 @@
         $known{$File::Find::name} = $id if not($is_certificate);
         return;
     }
-
-    open(FILE, $File::Find::name) or die "can't open $_: $!";
-
-    while (<FILE>) {
+}
 
-        # cheking for x509 certificates
-        if ($in_cert) {
-            push @cert, $_;
-            if (/^-----END CERTIFICATE-----$/) {
-                $in_cert = 0;
+    open(FILE, $_) or die "can't open $File::Find::name: $!";
+	my $file = join "", <FILE>;
+	close(FILE);
+
+	while ($file =~ /^(-+BEGIN CERTIFICATE.*?-+END CERTIFICATE-+)$/msg) {
 
-                # open filehandles (for read and write)
-                local (*READ, *WRITE);
-                my $cid = open2(\*READ, \*WRITE, @cmd_x509)
-                  or die "Can' fork: $!\n";
-                print WRITE @cert;
-                close(WRITE);
-                @cert = ();
+			# open filehandles (for read and write)
+			local (*READ, *WRITE);
+			my $cid = open2(\*READ, \*WRITE, @cmd_x509)
+			  or die "Can' fork: $!\n";
+			print WRITE $1;
+			close(WRITE);
 
-                while (<READ>) {
-                    /Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
-                    /^subject=\s+(.*)$/               and $subject   = $1;
-                    /^notAfter=(.*)\s+$/              and $enddate   = $1;
-                }
-                close(READ);
+			while (<READ>) {
+				/Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
+				/^subject=\s+(.*)$/               and $subject   = $1;
+				/^notAfter=(.*)\s+$/              and $enddate   = $1;
+			}
+			close(READ);
 
-                # waiting for child processes
-                do {
-                    $cid = waitpid(-1, WNOHANG);
-                } while $cid > 0;
+			waitpid($cid, 0) < 0 and die "no child with pid $cid\n";
 
                 if ($opt_debug) {
                     print "-----\n";
@@ -239,41 +242,30 @@
                     @{ $certs{$File::Find::name} },
                     ($subject, $enddate, $signature)
                 );
-                $is_certificate = 1;
-                next;
-            }
+
+				$is_certificate = 1;
         }
 
-        if (/^-----BEGIN CERTIFICATE-----$/) {
-            $in_cert = 1;
-            push @cert, $_;
-            next;
-        }
-    }
-
     $known{$File::Find::name} = $id if not($is_certificate);
-    close(FILE);
 }
 
-sub print_usage() {
-    print "Usage:\n";
-    print
-"  $ME [-b <binary>] [-i init] [-d <path>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-e <file,file,file,...>]\n";
-    print "  $ME [-h | --help]\n";
-    print "  $ME [-V | --version]\n";
-}
+
+sub print_usage() { print $USAGE };
 
 sub print_help() {
     print_revision($ME, $VERSION);
-    print "Copyright (c) 2009 Christian Arnold\n\n";
-    print "This plugin checks the expire date for openssl certificates.\n\n";
-    print_usage();
-    print "\n";
-    print "  -b, --binary <binary>\n";
-    print "     Path of openssl binary (default: /usr/bin/openssl)\n";
-    print "  -d, --directory <path>\n";
-    print
-"     Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
+print <<EOF;
+Copyright (c) 2009 Christian Arnold
+
+This plugin checks the expire date for openssl certificates.
+
+$USAGE
+	-b, --binary <binary>
+          Path of openssl binary (default: /usr/bin/openssl)
+	-d, --directory <path>
+EOF
+
+print "Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
     print "  -w, --warning <time>\n";
     print
 "     Certificat should not be more than this time older (default: 1month).\n";